Summary: | kdm allows logins even if shell is set to /sbin/nologin | ||
---|---|---|---|
Product: | [Unmaintained] kdm | Reporter: | Caleb Cushing <xenoterracide> |
Component: | general | Assignee: | kdm bugs tracker <kdm-bugs-null> |
Status: | RESOLVED NOT A BUG | ||
Severity: | normal | ||
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Arch Linux | ||
OS: | Unspecified | ||
Latest Commit: | Version Fixed In: | ||
Sentry Crash Report: |
Description
Caleb Cushing
2009-11-15 08:06:04 UTC
the only way I've found to lock the account is to lock the passwd sudo passwd -l username event setting the expire date to 1 doesn't work. -l, --lock Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password). Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970). Users with a locked password are not allowed to change their password. you didn't add the pam_nologin module to the kde pam stack. bah, sorry, i misread. you want pam_shells, of course. i have no idea why --expiredate 1 doesn't work - it might be a bug in pam_unix (or whatever else main authentication module you're using). i know that passwd -e works, and as it is the same from kdm's pov, i can safely deny any responsibility. #%PAM-1.0 auth required pam_unix.so auth required pam_nologin.so account required pam_unix.so password required pam_unix.so session required pam_unix.so session required pam_limits.so not knowing exactly how it works... what if I was bypassing passwords with kdm using autologin? autologin uses a separate service definition, but other than that it behaves just normally, i.e. it will do exactly what you told it to. read the pam admin guide for details. does kde provide pam configuration files for kdm? or is that a distribution thing? if it's a distribution thing why doesn't kde do it? if no kde pam service definitions are to be found yet, make install (run as root) will try to derive appropriate ones from existing ones. if that fails, too bad. it is a distribution and admin thing, after all. |